The Florida Senate
BILL ANALYSIS AND FISCAL IMPACT STATEMENT
(This document is based on the provisions contained in the legislation as of the latest date listed below.)

Prepared By: The Professional Staff of the Committee on Judiciary

BILL: CS/CS/SB 222
INTRODUCER: Communications, Energy and Public Utilities Committee; Commerce and Tourism Committee; and Senator Hukill
SUBJECT: Electronic Commerce
DATE: March 30, 2015
REVISED:

    ANALYST         STAFF DIRECTOR   REFERENCE   ACTION
1.  Harmsen         McKay            CM          Fav/CS
2.  Clift/Wiehle    Caldwell         CU          Fav/CS
3.  Procaccini      Cibula           JU          Pre-meeting

Please see Section IX. for Additional Information:
COMMITTEE SUBSTITUTE - Substantial Changes

I. Summary:

CS/CS/SB 222 creates the Computer Abuse and Data Recovery Act (CADRA), which establishes a civil cause of action for harm or loss caused by the unauthorized access or hacking of a protected computer owned by a for-profit or not-for-profit business.

The bill provides a definition for "authorized user," to be a third-party agent, contractor, consultant, or employee, who is granted, otherwise blocked, access by the owner, operator, lessee of the protected computer, or the owner of the protected information stored in the computer.

Remedies created by the bill include the recovery of actual damages, lost profits, economic damages, and injunctive or other equitable relief.

II. Present Situation:

Hacking is the unauthorized access of a computer or its related technologies, usually with intent to cause harm.[1] Currently, hackers are subject to criminal and limited civil penalties under the Florida Computer Crimes Act (CCA) and the federal Computer Fraud and Abuse Act (CFAA).

[1] Eric J. Sinrod, William P. Reilly, Cyber-Crimes: A Practical Approach to the Application of Federal Computer Crime Laws, 16 SANTA CLARA COMPUTER & HIGH TECH. L.J. 177 (2000).
Hacking by insiders or employees poses a significant threat to businesses because employees have ready access to valuable or significant information,[2] but challenges to the prosecution of hacking by employees exist. For example, the CCA exempts employees acting within the scope of their lawful employment from prosecution for criminal actions.[3] Civil actions brought under the CFAA must have damages of $5,000 or more, or must be based on other specific harm.[4] Additionally, federal appellate circuit courts are split on the application of the CFAA to employee hackers.[5], [6]

Computer Fraud and Abuse Act

The CFAA[7] provides criminal penalties for individuals who either without authorization, or in excess of authorized access:

- Obtain national security information;
- Access a computer and obtain confidential information;
- Trespass in a government computer;
- Access a computer to commit a fraud;
- Damage a computer;
- Traffic in computer passwords; or
- Make threats involving computers.

The CFAA also provides civil remedies if damages exceed $5,000, hamper medical care, physically harm a person, or threaten national security, public safety, or health.[8]

The CFAA does not define "without authorization," but does define "to exceed authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."[9]

Florida Computer Crimes Act

In 1978, the Legislature created the CCA[10] to address the problem of computer-related crime in government and the private sector.[11] The CCA criminalizes certain offenses against intellectual property and offenses against users of computers, computer systems, computer networks, and electronic devices.

Offenses against Intellectual Property

A person commits an offense against intellectual property under the CCA when he or she willfully, knowingly, and without authorization:

- Introduces a contaminant into a computer or its related technologies;
- Modifies, renders unavailable, or destroys data, programs, or supporting documentation in a computer or its related technologies; or
- Discloses or takes data, programs, or supporting documentation which is a trade secret or is confidential that is in a computer or its related technologies.

Offenses against Computer Users

A person commits an offense against computer users under the CCA when he or she willfully, knowingly, and without authorization:

- Accesses, destroys, injures, or damages any computer or its related technologies;
- Disrupts the ability to transmit data to or from an authorized user of a computer or its related technologies;
- Destroys, takes, injures, modifies, or damages equipment or supplies used or intended to be used in a computer or its related technologies;
- Introduces any computer contaminant into any computer or its related technologies; or
- Engages in audio or video surveillance of an individual by accessing any inherent feature or component of a computer or its related technologies, including accessing the data or information thereof that is stored by a third party.

The CCA does not provide a civil remedy for offenses against intellectual property, but it does enable an owner or lessee of an affected computer or its related technologies to bring a civil action[12] for compensatory damages against any person convicted of an offense against computer users under s. 815.06, F.S.[13] Employees acting under the scope of their authorization are specifically exempted from this civil cause of action under the CCA.[14]

The civil action provided for in s. 815.04, F.S., is generally disfavored as a more costly and time-consuming option than necessary because it must be preceded by a criminal conviction under the CCA.[15] As an alternative, litigants generally proceed under a federal CFAA claim.[16]

[2] U.S. Department of Homeland Security, Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and Proprietary Information, (September 23, 2014) https://www.ic3.gov/media/2014/140923.aspx; see also, s. 815.02, F.S.
[3] Section 815.06(7)(b), F.S. (2014).
[4] 18 U.S.C. 1030(c)(4)(A)(i)(I)-(V).
[5] U.S. Department of Justice, Prosecuting Computer Crimes, (Office of Legal Education 2009) from http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf.
[6] Compare United States v. Nosal, 676 F. 3d 854 (9th Cir. 2012) (Finding that an employee hacker can only exceed authorization by accessing files outside the scope of her use-authorization (e.g., stealing a co-worker's password to access information)) with United States v. Rodriguez, 628 F. 3d 1258 (11th Cir. 2010) (Finding that an employee hacker who uses information obtained within the scope of her normal use authorization exceeds authorization by using the information in a manner contrary to the business interests or use agreement).
[7] 18 U.S.C. 1030.
[8] 18 U.S.C. 1030(g).
[9] 18 U.S.C. 1030(e)(6).
[10] Sections 815.01-815.06, F.S.
[11] Chapter 78-92, Laws of Fla.; s. 815.01-02, F.S.
[12] Section 815.06(4), F.S.
[13] Section 815.06(5)(a), F.S.
[14] Section 815.06(7)(b), F.S.
[15] Robert Kain, Federal Computer Fraud and Abuse Act: Employee Hacking Legal in California and Virginia, But Illegal in Miami, Dallas, Chicago, and Boston, 87 FLA. BAR. J., (January, 2013) http://www.floridabar.org/divcom/jn/jnjournal01.nsf/8c9f13012b96736985256aa900624829/83a2364f8efc84e385257ae200647255!opendocument
[16] Id.
III. Effect of Proposed Changes:

The bill creates the Computer Abuse and Data Recovery Act (CADRA) in ch. 668, F.S. It directs that CADRA be liberally construed to protect owners, operators, and lessees of a protected computer from harm or losses caused by the unauthorized access to the protected computer.

The bill creates a civil action available to those injured by an individual who knowingly and with intent to cause harm or loss:

- Obtains information from a protected computer without authorization, and as a result, causes a harm or loss;
- Causes the transmission of a program, code, or command from a protected computer without authorization, and as a result, causes a harm or loss; or
- Traffics in any technological access barrier (e.g., password) through which access to a protected computer may be obtained without authorization.

In the civil action, the injured party has the following civil remedies available:

- Recovery of actual damages;
- Recovery of the violator's profits that are not included in the plaintiff's damages;
- Injunctive or other equitable relief to prevent a future violation; and
- Return of the misappropriated information, program, or code, and all copies.

The bill also directs courts to award attorney's fees to the prevailing party.

An injured party must commence a civil action within 3 years after the violation or 3 years after the violation was discovered, or should have been discovered with due diligence. This statute of limitations is shorter than Florida's 4-year default statute of limitations,[17] but longer than the 2-year statute of limitations provided for in the federal CFAA.[18]

Relief provided under this bill is available as a supplement to other remedies under state and federal law. If a criminal proceeding brought under the CCA results in a final judgment or decree in favor of the state, the defendant is estopped from denying or disputing the same matters in any subsequent civil action brought under CADRA.

The bill excludes from its provisions:

- Any lawfully authorized investigative, protective, or intelligence activity of any law enforcement agency, regulatory agency, or political subdivision of Florida, any other state, the United States, or any foreign country; and
- Any provider of an interactive computer service, of an information service, or of a communications service, if the provider provides the transmission, storage, or caching of electronic communications or messages of a person other than the provider, related telecommunications or commercial mobile radio services, or content provided by a person other than the provider.

[17] Section 95.11(3)(f), F.S.
[18] 18 U.S.C. 1030(g
The bill provides definitions, including for the term "without authorization." This definition states that the term does not include circumventing a technological measure that does not effectively control access to the protected computer or the information stored in the protected computer. This wording imposes a responsibility on businesses to establish and maintain effective technological measures such as passwords, because hackers who circumvent a technological measure that does not effectively control access to the protected computer act outside the scope of liability created by this bill.

The definitions do not resolve uncertainties about application of the liability provisions to an employee who is permitted access to the relevant information as part of their duties, but acts outside those duties with resulting harm or loss to the employer. However, permission to access a business private computer is terminated upon cessation of the third-party agent, contractor, consultant, or employee's employment.

The phrase "owner of information" appears to be limited to the owner of information stored in the protected computer who uses the information in connection with the operation of a business as that is the terminology used in creating the liability. As such, the bill does not create a cause of action for an individual whose personal information: is stored on a business computer, is accessed by a hacker, and is fraudulently used to the individual's harm or loss. It would, however, protect the owner of that business computer (assuming adequate technological measures).

The bill takes effect October 1, 2015.

IV. Constitutional Issues:

A. Municipality/County Mandates Restrictions:

This bill does not require counties or municipalities to spend funds or limit their authority to raise revenue or receive state-shared revenues as specified in Article VII, s. 18 of the Florida Constitution.

B. Public Records/Open Meetings Issues:

C. Trust Funds Restrictions:

V. Fiscal Impact Statement:

A. Tax/Fee Issues:
B. Private Sector Impact:

The bill provides an alternate civil remedy for businesses affected by specific hacking acts.

C. Government Sector Impact:

According to the Office of the Florida State Courts Administrator, the creation of a new civil cause of action is expected to result in an additional court workload. However, the office was unable to determine the fiscal impact of the bill due to the lack of data needed to determine the expected increase in judicial workload.[19]

VI. Technical Deficiencies:

VII. Related Issues:

VIII. Statutes Affected:

This bill creates the following sections of the Florida Statutes: 668.801, 668.802, 668.803, 668.804, and 668.805.

IX. Additional Information:

A. Committee Substitute Statement of Substantial Changes:
(Summarizing differences between the Committee Substitute and the prior version of the bill.)

CS by Communications, Energy, and Public Utilities on March 10, 2015:
Revises the definition for "authorized user" and expands the definition of the term "without authorization" to further clarify the circumstances under which the owner of a protected computer is eligible to seek judicial relief under the Computer Abuse and Data Recovery Act; provides an exclusion from liability for certain internet access service providers and on-line storage providers; and makes a technical change.

CS by Commerce and Tourism on February 16, 2015:
Clarifies that a victim may seek the return of misappropriated programs, misappropriated codes, and misappropriated information under s. 668.804, F.S.

B. Amendments:

This Senate Bill Analysis does not reflect the intent or official position of the bill's introducer or the Florida Senate.

[19] Office of the State Courts Administrator, 2015 Judicial Impact Statement for CS/SB 222, (March 9, 2015).